MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a3467911eaf0122aade59ef8636d005f251ef1e6fb23295bdac92376ae0fb82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a3467911eaf0122aade59ef8636d005f251ef1e6fb23295bdac92376ae0fb82
SHA3-384 hash: 16b41b2b8fb243697d6fb086e9bda6aee7a127c0c56973e881cdf66d01badb7b59cfaead09d6a024473c79feecadc6e6
SHA1 hash: 98fd3e0bfb43d17534ed4ef4532a07645137ffbe
MD5 hash: ef75f86a924894fec1dac693d329a7ab
humanhash: skylark-oregon-cola-five
File name:Ursnif
Download: download sample
Signature Gozi
Create hunting rule
File size:326'656 bytes
First seen:2020-06-10 07:24:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c64340f7290dc1d326dec0be34eeebd (1 x Gozi)
ssdeep 3072:JRi6SsIp2dyonjf5XAMIbOhSylHQbOI/M3I7R/u0aEHulAb5oDcyswz7Vx:6JQzVAbvylHQbOj3I7R/Pp6Lswz7b
Threatray 151 similar samples on MalwareBazaar
TLSH C364F530A5008739F4E100B6B6A6B9FB95D85620C37524FF61EC749DD2296E228BD7F3
Reporter JAMESWT_WT
Tags:Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 16:36:07 UTC
File Type:
PE (Exe)
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ti2gpei6v4asfkw6lhxymnwqaxzfd3y6n6zdffn5vsjdo2xa7oba._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1dd04b1aea9ce6cfbfc02b62522f7f3c65b4e0cddf89d17ab36387f4de62ef24
Gozi
2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b
Gozi
4bfb087f701703022fb2d67bc0ee97440d36027d591b6c60ffdf92bb262bf734
Gozi
556d872d8195d87cfc65687c8d99dd0cab17ae02836e31a55bef0e7894e45d4d
Gozi
6746b12200fed6aeb1764594c84ecd3485e74114325c150ba41d12c555b182eb
Gozi
6a473e38f47d6ec7d3dcdcd4ccd8e1d8d9e388d1b8b169011bf89c273327d5a3
Gozi
7bc9d1453bb84033fd82500f10db64cbf221c4286ed3eba7928249dae6d67675
Gozi
971614ec400a624969d1c3c83bb0b55859a7f069e16c9b4a448527c1b2697dde
Gozi
9d0cbdaa28c492fc8deef2174cda055883c9659ecef8b55b502bf75dd59edaea
Gozi
bd6840cc208517847e130db0c847e715ba80a88e210e6383b37c1d0381877ee5
Gozi
+ 141 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-1tqve6tw9j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory
Reference:internal research
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments